> > 2) There are two (or more) keys in a DNSSEC RRset that match an RRSIG record.
> >
> > This is the expensive part.
>
> This is not expensive. It is still cheap with the limit of 2 or 3
> failures allowed. I mean, compare this to doing DoH to all auth
> servers, this crypto operation amounts to nothing.

It is exactly this limit that causes trouble for some validator software. I don't know why you are comparing this to DoH to all auth servers. As far as I know, no resolver does DoH to all auth servers, if only because most auth servers don't support DoH in the first place.
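Added example, not part of the original message or of any validator's code: a sketch of how a validator selects candidate DNSKEYs by algorithm and RFC 4034 key tag and stops after a fixed number of failed verifications. The keys, the signed data, the budget values and `toy_verify` (an HMAC stand-in for the real public-key check) are constructed assumptions.

```python
import hashlib
import hmac
import struct


def dnskey_rdata(flags, algorithm, public_key):
    # DNSKEY RDATA layout: flags (2 bytes), protocol (always 3), algorithm, key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    # RFC 4034 Appendix B: a 16-bit sum over the RDATA, so distinct keys can share a tag
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def toy_verify(public_key, data, signature):
    # Stand-in for the signature check (assumption); this is not DNSSEC cryptography
    expected = hmac.new(public_key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate(rrsig_tag, rrsig_alg, signature, data, dnskeys, max_failures):
    """Return (status, number of verifications attempted)."""
    failures = attempts = 0
    for flags, alg, pub in dnskeys:
        if alg != rrsig_alg or key_tag(dnskey_rdata(flags, alg, pub)) != rrsig_tag:
            continue  # not a candidate for this RRSIG, no crypto work spent
        attempts += 1
        if toy_verify(pub, data, signature):
            return "secure", attempts
        failures += 1
        if failures >= max_failures:
            return "limit-exceeded", attempts  # budget spent, remaining keys untried
    return "bogus", attempts


# Constructed sample RRset: the last three keys share one key tag, the first does not.
DNSKEYS = [(257, 15, b"\x09\x09\x09\x09"), (256, 15, b"\x01\x02\x03\x04"),
           (256, 15, b"\x03\x02\x01\x04"), (256, 15, b"\x02\x02\x02\x04")]
DATA = b"example. 3600 IN A 192.0.2.1"   # constructed signed data
SIGNER = DNSKEYS[3]                        # the key that actually signed
RRSIG_TAG = key_tag(dnskey_rdata(*SIGNER))
SIGNATURE = hmac.new(SIGNER[2], DATA, hashlib.sha256).digest()

if __name__ == "__main__":
    for budget in (2, 3):
        print(budget, validate(RRSIG_TAG, 15, SIGNATURE, DATA, DNSKEYS, budget))
```

With the signing key third among the colliding candidates, a budget of 2 gives up before reaching it, while a budget of 3 validates at the cost of three verifications.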
